Cyber espionage virus targets Lebanese banks

Security experts have uncovered a new computer virus designed to steal
information from banks in the Middle East and thought to be the fourth in a
family of state-backed cyber attacks, built for espionage and sabotage.

Web wonders: Israel boasts one of the most successful incubators of cyber military technology in the worldPhoto: ALAMY

Named Gauss after an apparent reference to a German mathematician contained in its code, the virus has infected more that 2,500 computers, mainly in Lebanon, according to the Russian security firm Kaspersky Lab.

It is designed to spy on customers of the Lebanese banks BlomBank, ByblosBank and Credit Libanais, analysis showed. Citibank and PayPal customers have also been targeted, Kaspersky Lab said.

Observers speculated that the attack may be an effort to gather intelligence on the finances of Hezbollah, the Syrian government or Iran. Unlike the viruses used by criminals to commit online banking fraud, Gauss targets a very specific set of institutions.

Jeffrey Carr, an independent cyber security expert, said the US government has long monitored Lebanese banks for clues about the activities of militant groups and drug cartels.

"You've got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah?" he said, endorsing claims that Gauss is related to other state-backed computer viruses.

As well as banking credentials, the information covertly harvested by Gauss includes web browsing history and passwords, and detailed technical information about the computer that could assist further attacks.

Kaspersky Lab said it was in the early stages of analysing the code and that it was also possible that Gauss is capable of sabotaging critical infrastructure. Researchers believe one module of code, named Godel after another mathematician, could be a “warhead”, able to cause real damage.

The researchers, who called for help cracking Godel and other encrypted portions of the virus, believe it was created by the same people behind a trio of advanced cyber attacks in the last two years.

Gauss shares unusual design features and elements of software code with Duqu, Flame and Stuxnet, three other espionage and sabotage viruses that researchers believe must have been created by state agencies because of their targets and the level of investment required. Kaspersky Lab said it believed all four were part of the same covert programme.

Other security researchers who have not yet analysed Gauss in detailed cautioned that it could just be the work of criminals who copied state-backed designs. Kaspersky Lab was dismissive, however.

“After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,'" it said.

The discovery again raises the stakes in the secret conflict being waged online. Stuxnet, discovered in 2010 and designed to disrupt Iranian nuclear enrichment, was seen as the herald of a new era of statecraft. The others were discovered later as part of an effort by the UN’s International Telecommunications Union to understand state-backed cyber attacks.

It is now known that Stuxnet was created in a joint operation called “Olympic Games” by Israeli and American agencies and personally sanctioned by President Obama, according to The New York Times.

Like Gauss, Duqu and Flame, discovered more recently, are espionage rather than sabotage tools, but all share features with Stuxnet. They are able to spread in a similar way to computers not connected to the internet via USB sticks, for instance.

Kaspersky Lab said that after it discovered Gauss in July the online systems used to remotely control it were shut down. The International Telecommunications Union said it would nevertheless issue a warning to member states to protect their systems.